Microsoft to make security the priority

One of Microsoft's senior security consultants has claimed that the software giant’s recent security failings will soon be a thing of the past.

At a time when Microsoft’s claim that Windows XP is its most secure operating system ever is coming under increasing scrutiny, one of its senior security consultants has claimed that the software giant’s recent security failings will soon be a thing of the past.

Jim Hosmer, a senior consultant with Microsoft Consulting Services and in Dubai for a security workshop for business customers, believes that many of the security woes that have plagued the company throughout the last year had more to do with the environment that Windows was working in than the product itself.

“Security has always been an important Windows priority: if you look carefully at Windows 2000, for instance, you’ll notice that an enormous part of the product's deliverable is expressly focused on security,” commented Hosmer. “The places where we are having the most difficulty, from a security point of view, are where customers have retained a high level of old LAN implementations. These people have to be very careful about what they allow into their networks.”

Microsoft has had negative media coverage over the year, however, regarding a number of serious flaws discovered in its programmes: a flaw in Windows XP's Universal Plug and Play (UPnP) support through which anyone who knew the Internet Protocol (IP) address of a specific PC could gain control of it over the Internet; the discovery that Explorer has around half a dozen bugs, one of which gives potential attackers the opportunity to send an HTML e-mail that could in turn steal cookies or allow access to files; and two worms, Code Red 2 and Nimda, which this summer hit Web servers running IIS.

“UPnP has not been that serious,” said Hosmer. “Although it could have been big, it wasn’t, as most people were protected through basic firewall protections. The correction was also very straightforward. With regard to Code Red and Nimda, they were extremely cleverly crafted worms that didn't exploit a new vulnerability, but many old, dead ones. In many cases Nimda was exploiting a vulnerability of administration, not the product.”

Hosmer explained that in many instances, shared resources on networks were created by users without applying access controls that were more restrictive than the defaults.

“A big part of our security policy is to educate users how to authorise, securely, access to resources,” he continued. “But those three have caused the visibility. You will see this whole issue start to decline over the next year, however.”

A bold claim perhaps, but a recent leak from Redmond suggests that the company is finally coming to terms with its lapses. In an e-mail to Microsoft employees recently, Microsoft chairman Bill Gates said that the company intends to shift from a focus on features to spotlighting security and privacy.

“When we face a choice between adding features and resolving security issues, we need to choose security,” said Gates. “Our products should emphasize security right out of the box.”

The move could not come sooner. Windows XP's security has already been criticised: such is the seriousness of a new security loophole recently found in the OS that the United States’ Federal Bureau of Investigation (FBI) issued a statement on the subject.

A full interview with Jim Hosmer of Microsoft Consulting Services will feature in the March edition of Windows Middle East.